Re: cipher suite filters have not been configured

[Marc Logemann]

Daniel.

not that easy to isolate a test case in terms of JAR creation and  
classpath. What IDE are u using? It would be easier to share a small  
test project.....

---
regards
Marc Logemann
http://www.logemann.org
http://www.logentis.de




Am 11.05.2009 um 18:39 schrieb Daniel Kulp:


Any chance you could package together a small test case. (maybe a  
modified
version of one of the samples?)   I've seen a couple people report  
that the
"*.http-conduit" method of config isn't working, but I haven't been  
able to
reproduce it.   If I could get a testcase that shows that it's not  
working, I
could debug it a bit to see what is going on.

Thanks!
Dan


On Sun May 10 2009 12:49:42 pm Marc Logemann wrote:
Hi,

on testing the my client with HTTPS i am getting this in the console
many times:

10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
getCiphersuites
INFO: The cipher suites have not been configured, falling back to
cipher suite filters.
10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
getCiphersuites
INFO: The cipher suite filters have not been configured, falling back
to default filters.
10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA,
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.

This problem is also described in this "old" thread:
http://markmail.org/thread/kkcp6lbx26al2fo6

Of course i also tried the

    <http:conduit name="*.http-conduit">
        <http:tlsClientParameters secureSocketProtocol="SSL">
            <sec:cipherSuitesFilter>  <!-- these filters ensure that
a ciphersuite with export-suitable or null encryption is used, but
exclude anonymous Diffie-Hellman key change as this is vulnerable to
man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>

config without luck. But my cxf.xml gets read in my Test client (the
generated client of WSDL2Java).

In general the client call works with the JAX-WS-style  supplied
username and password but i really dont like the logging and i wonder
if its too slow then as mentioned in the thread above.

Thx for info on this.

---
regards
Marc Logemann
http://www.logemann.org
http://www.logentis.de

--
Daniel Kulp
dk...@apache.org
http://www.dankulp.com/blog